DevOps
/
HC-vault-on-aws-FORK
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

launch template and auto scaling group

This commit is contained in:
J Cole Morrison 2020-04-13 18:31:14 -07:00
parent 055a1c546d
commit a866b0ec9f
7 changed files with 177 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
ec2-auto-scaling-group.tf Normal file
View File

@ -0,0 +1,52 @@
# EC2 Auto Scaling Group
resource "aws_autoscaling_group" "vault-asg" {
name_prefix = "${var.main_project_tag}-asg-"
launch_template {
id = aws_launch_template.vault_instance.id
version = aws_launch_template.vault_instance.latest_version
}
# All the same to keep at a fixed size
desired_capacity = var.vault_instance_count
min_size = var.vault_instance_count
max_size = var.vault_instance_count
# AKA the subnets to launch resources in
vpc_zone_identifier = aws_subnet.private.*.id
health_check_grace_period = 300
health_check_type = "EC2"
termination_policies = ["OldestLaunchTemplate"]
wait_for_capacity_timeout = 0
enabled_metrics = [
"GroupDesiredCapacity",
"GroupInServiceCapacity",
"GroupPendingCapacity",
"GroupMinSize",
"GroupMaxSize",
"GroupInServiceInstances",
"GroupPendingInstances",
"GroupStandbyInstances",
"GroupStandbyCapacity",
"GroupTerminatingCapacity",
"GroupTerminatingInstances",
"GroupTotalCapacity",
"GroupTotalInstances"
]
tags = [
{
key = "Name"
value = "${var.main_project_tag}-instance"
propagate_at_launch = true
},
{
key = "Project"
value = var.main_project_tag
propagate_at_launch = true
}
]
}

45
ec2-launch-template.tf Normal file
View File

@ -0,0 +1,45 @@
# EC2 Launch Template
resource "aws_launch_template" "vault_instance" {
name_prefix = "${var.main_project_tag}-lt-"
image_id = var.use_lastest_ami ? data.aws_ssm_parameter.latest_ami.value : "ami-0323c3dd2da7fb37d"
instance_type = var.vault_instance_type
key_name = var.ec2_key_pair_name
vpc_security_group_ids = [aws_security_group.vault_instance.id]
iam_instance_profile {
arn = aws_iam_instance_profile.vault_instance_profile.arn
}
tag_specifications {
resource_type = "instance"
tags = merge(
{ "Name" = "${var.main_project_tag}-instance" },
{ "Project" = var.main_project_tag }
)
}
tag_specifications {
resource_type = "volume"
tags = merge(
{ "Name" = "${var.main_project_tag}-volume" },
{ "Project" = var.main_project_tag }
)
}
tags = merge(
{ "Name" = "${var.main_project_tag}-lt" },
{ "Project" = var.main_project_tag }
)
user_data = base64encode(templatefile("${path.module}/files/userdata.sh", {
VAULT_VERSION = var.vault_version
VAULT_CLUSTER_NAME = var.main_project_tag
VAULT_DNS = var.domain_name
VAULT_KMS_KEY_ID = aws_kms_key.seal.key_id
VAULT_CLUSTER_REGION = data.aws_region.current.name
VAULT_DYNAMODB_TABLE = var.dynamodb_table_name # dynamodb resource doesn't return name....
VAULT_S3_BUCKET_NAME = aws_s3_bucket.vault_data.id
}))
}

15
files/userdata.sh
View File

@ -72,8 +72,9 @@ max_lease_ttl = "192h" # One week
default_lease_ttl = "192h" # One week default_lease_ttl = "192h" # One week
ui = "true" ui = "true"
# Where can the Vault API be reached? At the load balancer. # Where can the Vault API be reached? At DNS for the load balancer, or the CNAME created.
api_addr = "https://${VAULT_LOAD_BALANCER_DNS}" # Note: this maps to the environment variable VAULT_API_ADDR not VAULT_ADDR
api_addr = "https://${VAULT_DNS}"
# For forwarding between vault servers. Set to own ip. # For forwarding between vault servers. Set to own ip.
cluster_addr = "http://INSTANCE_IP_ADDR:8201" cluster_addr = "http://INSTANCE_IP_ADDR:8201"
@ -84,6 +85,7 @@ seal "awskms" {
kms_key_id = "${VAULT_KMS_KEY_ID}" kms_key_id = "${VAULT_KMS_KEY_ID}"
} }
# Apply Listener for local
listener "tcp" { listener "tcp" {
address = "0.0.0.0:8200" address = "0.0.0.0:8200"
cluster_address = "0.0.0.0:8201" cluster_address = "0.0.0.0:8201"
@ -120,7 +122,7 @@ AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes NoNewPrivileges=yes
ExecStart=/opt/vault/bin/vault server -config /opt/vault/config/ -log-level=info ExecStart=/opt/vault/bin/vault server -config=/opt/vault/config/ -log-level=debug
ExecReload=/bin/kill --signal HUP \$MAINPID ExecReload=/bin/kill --signal HUP \$MAINPID
KillMode=process KillMode=process
KillSignal=SIGINT KillSignal=SIGINT
@ -152,7 +154,7 @@ sed -i -e "s/INSTANCE_IP_ADDR/$INSTANCE_IP_ADDR/g" /opt/vault/config/server.hcl
systemctl daemon-reload systemctl daemon-reload
systemctl enable vault systemctl enable vault
systemctl restart vault # systemctl restart vault
--==BOUNDARY== --==BOUNDARY==
Content-Type: text/x-shellscript; charset="us-ascii" Content-Type: text/x-shellscript; charset="us-ascii"
@ -170,6 +172,9 @@ Content-Type: text/x-shellscript; charset="us-ascii"
# - Delete the local file # - Delete the local file
# - Erase bash history # - Erase bash history
export VAULT_ADDR="http://127.0.0.1:8200"
export AWS_DEFAULT_REGION="${VAULT_CLUSTER_REGION}"
VAULT_INITIALIZED=$(vault operator init -status) VAULT_INITIALIZED=$(vault operator init -status)
function initialize_vault { function initialize_vault {
@ -192,7 +197,7 @@ if [ "$VAULT_INITIALIZED" = "Vault is initialized" ]; then
echo "Vault is already initialized." echo "Vault is already initialized."
else else
echo "Initializing vault..." echo "Initializing vault..."
initialize_vault # initialize_vault
fi fi
--==BOUNDARY==-- --==BOUNDARY==--

2
outputs.tf
View File

@ -3,7 +3,7 @@ resource "local_file" "user_data_compiled" {
content = templatefile("${path.module}/files/userdata.sh", { content = templatefile("${path.module}/files/userdata.sh", {
VAULT_VERSION = var.vault_version VAULT_VERSION = var.vault_version
VAULT_CLUSTER_NAME = var.main_project_tag VAULT_CLUSTER_NAME = var.main_project_tag
VAULT_LOAD_BALANCER_DNS = aws_lb.alb.dns_name VAULT_DNS = var.domain_name
VAULT_KMS_KEY_ID = aws_kms_key.seal.key_id VAULT_KMS_KEY_ID = aws_kms_key.seal.key_id
VAULT_CLUSTER_REGION = data.aws_region.current.name VAULT_CLUSTER_REGION = data.aws_region.current.name
VAULT_DYNAMODB_TABLE = var.dynamodb_table_name # dynamodb resource doesn't return name.... VAULT_DYNAMODB_TABLE = var.dynamodb_table_name # dynamodb resource doesn't return name....

16
variables.tf
View File

@ -105,6 +105,22 @@ variable "use_lastest_ami" {
default = false default = false
} }
# EC2 - Vault Instance Launch Template
variable "vault_instance_type" {
description = "The EC2 instance size of the vault instances."
type = string
default = "t2.micro"
}
# EC2 - Vault Instance AutoScaling Group
variable "vault_instance_count" {
description = "The number of EC2 instances to launch as vault instances. Should be no less than 2."
type = number
default = 2
}
# SSL Certificate for HTTPS Access # SSL Certificate for HTTPS Access
variable "domain_name" { variable "domain_name" {

52
vpc-security-groups.tf
View File

@ -79,6 +79,16 @@ resource "aws_security_group_rule" "vault_instance_allow_8201" {
description = "Allow traffic from fellow vault instances that have this SG." description = "Allow traffic from fellow vault instances that have this SG."
} }
resource "aws_security_group_rule" "vault_instance_allow_22_bastion" {
security_group_id = aws_security_group.vault_instance.id
type = "ingress"
protocol = "tcp"
from_port = 22
to_port = 22
source_security_group_id = aws_security_group.bastion.id
description = "Allow SSH traffic from vault bastion."
}
resource "aws_security_group_rule" "vault_instance_allow_outbound" { resource "aws_security_group_rule" "vault_instance_allow_outbound" {
security_group_id = aws_security_group.vault_instance.id security_group_id = aws_security_group.vault_instance.id
type = "egress" type = "egress"
@ -121,4 +131,46 @@ resource "aws_security_group_rule" "bastion_allow_outbound" {
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = length(var.allowed_bastion_cidr_blocks_ipv6) > 0 ? ["::/0"] : null ipv6_cidr_blocks = length(var.allowed_bastion_cidr_blocks_ipv6) > 0 ? ["::/0"] : null
description = "Allow any outbound traffic." description = "Allow any outbound traffic."
}
## KMS Endpoint SG
resource "aws_security_group" "kms_endpoint" {
name_prefix = "${var.main_project_tag}-kms-endpoint-sg"
description = "Firewall for the KMS Endpoint."
vpc_id = aws_vpc.vault.id
tags = merge(
{ "Name" = "${var.main_project_tag}-kms-endpoint-sg" },
{ "Project" = var.main_project_tag }
)
}
resource "aws_security_group_rule" "vault_instance_allow_80" {
security_group_id = aws_security_group.kms_endpoint.id
type = "ingress"
protocol = "tcp"
from_port = 80
to_port = 80
source_security_group_id = aws_security_group.vault_instance.id
description = "Allow HTTP traffic from vault instances."
}
resource "aws_security_group_rule" "vault_instance_allow_443" {
security_group_id = aws_security_group.kms_endpoint.id
type = "ingress"
protocol = "tcp"
from_port = 443
to_port = 443
source_security_group_id = aws_security_group.vault_instance.id
description = "Allow HTTPS traffic from vault instances."
}
resource "aws_security_group_rule" "kms_allow_outbound" {
security_group_id = aws_security_group.kms_endpoint.id
type = "egress"
protocol = "-1"
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
description = "Allow any outbound traffic."
} }

2
vpc.tf
View File

@ -225,7 +225,7 @@ resource "aws_vpc_endpoint" "kms" {
// Can also be done with "aws_vpc_endpoint_subnet_association" // Can also be done with "aws_vpc_endpoint_subnet_association"
subnet_ids = aws_subnet.private.*.id subnet_ids = aws_subnet.private.*.id
security_group_ids = [aws_security_group.vault_instance.id] security_group_ids = [aws_security_group.kms_endpoint.id]
tags = merge( tags = merge(
{ "Name" = "${var.main_project_tag}-kms-endpoint"}, { "Name" = "${var.main_project_tag}-kms-endpoint"},